Network-based Anomaly Detection for SCADA Systems: Traffic Generation and Modeling
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. ORCID iD: 0000-0003-2596-9355
2022 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems control and monitor critical infrastructure in society, such as electricity transmission and distribution systems. Modern SCADA systems are increasingly adopting open standards and being connected to the Internet to enable remote control. A rise in sophisticated attacks against SCADA systems makes SCADA security a pressing issue. An Intrusion Detection System (IDS) is a security countermeasure that monitors a network and tracks unauthenticated activities inside the network. Most commercial IDSs used in general IT systems are signature-based: the IDS compares observed system behaviour with known attack patterns. Unfortunately, recent attacks against SCADA systems exploit zero-day vulnerabilities, which signature-based IDSs cannot detect.

This thesis aims to enhance SCADA system monitoring through network-based anomaly detection, which models normal behaviour and finds deviations from the model. With network-based anomaly detection, zero-day attacks become detectable. There are two main challenges for network-based anomaly detection. The first is the potentially large number of false positives caused by benign traffic that deviates from the trained model simply because of noise. To address this challenge, this thesis proposes several traffic modeling approaches, based on statistics and machine learning techniques, for the regular communication patterns in SCADA traffic. The second challenge is the lack of open datasets on which to evaluate the proposed approaches. Consequently, this thesis proposes a traffic generation framework.

For traffic modeling, this thesis first categorises SCADA traffic into two groups, request-response and non-requested traffic, and studies data collected in a diverse set of protocol formats (Modbus, Siemens S7, S7+, MMS, IEC-60870-5-104). Request-response traffic is generated by a polling mechanism. For this type of traffic, we model the inter-arrival times of each request and response pair with a statistical approach. Results presented in this thesis show that request-response traffic exists in several SCADA traffic sets collected from systems of different sizes and settings. The proposed statistical approach for request-response traffic can detect attacks that cause only subtle changes in timing.

Non-requested traffic is generated by remote terminal units at predefined times or when they observe significant changes in measurement values. For this type of traffic, we first use a pattern mining approach to find the timing characteristics of the data. Then, we model the suggested attributes with machine learning approaches. We test our anomaly detection model with two types of attacks: one causes persistent anomalies and the other only intermittent ones. Our anomaly detector exhibits a 100% detection rate with at most a 0.5% false positive rate for the attacks with persistent anomalies. For the attacks with intermittent anomalies, we find our approach effective when the anomalous patterns last for a longer period (over 30 minutes).

For traffic generation, this thesis conducts a comparative analysis between network traces collected from testbeds and from a real power utility. The analysis shows that testbed traffic may be prone to overly regular patterns, which is considered to be the result of a lack of plausible human interactions within the testbed. Therefore, this thesis proposes a traffic generation framework built upon a virtual testbed. The framework provides programmable BOTs to mimic human activities such as operator commands and attacks.

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2022, p. 55
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 2266
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:liu:diva-189703; DOI: 10.3384/9789179295189; ISBN: 9789179295172 (print); ISBN: 9789179295189 (electronic); OAI: oai:DiVA.org:liu-189703; DiVA, id: diva2:1708305
Public defence
2022-12-19, Ada Lovelace, B-building, Campus Valla, Linköping, 13:15 (English)
Funder
Swedish Civil Contingencies Agency
Available from: 2022-11-03 Created: 2022-11-03 Last updated: 2022-11-21. Bibliographically approved
List of papers
1. Timing-Based Anomaly Detection in SCADA Networks
2018 (English). In: Critical Information Infrastructures Security, Springer, 2018, p. 48-59. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems that operate our critical infrastructures are subject to increased cyber attacks. Due to the use of request-response communication in polling, SCADA traffic exhibits stable and predictable communication patterns. This paper provides a timing-based anomaly detection system that uses the statistical attributes of the communication patterns. This system is validated with three datasets, one generated from real devices and two from emulated networks, and is shown to have a False Positive Rate (FPR) under 1.4%. The tests are performed in the context of three different attack scenarios, which involve valid messages so they cannot be detected by whitelisting mechanisms. The detection accuracy and timing performance are adequate for all the attack scenarios in request-response communications. With other interaction patterns (i.e. spontaneous communications), we found instead that 2 out of 3 attacks are detected.

Place, publisher, year, edition, pages
Springer, 2018
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349
Keywords
SCADA, Industrial Control System (ICS), Anomaly detection, Traffic periodicity
National Category
Computer Systems
Identifiers
urn:nbn:se:liu:diva-154394 (URN); 10.1007/978-3-319-99843-5_5 (DOI); 000611548700005 (); 978-3-319-99842-8 (ISBN); 978-3-319-99843-5 (ISBN)
Conference
CRITIS, Lucca, Italy, 8-13 October, 2017
Projects
RICS (Resilient Information and Control Systems)
Available from: 2019-02-11 Created: 2019-02-11 Last updated: 2024-02-01. Bibliographically approved
2. Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks
2018 (English). In: Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, NY, USA: ACM, 2018, p. 51-60. Conference paper, Published paper (Refereed)
Abstract [en]

The IEC-60870-5-104 (IEC-104) protocol is commonly used in Supervisory Control and Data Acquisition (SCADA) networks to operate critical infrastructures, such as power stations. As the importance of SCADA security grows, the characterization and modeling of SCADA traffic for developing defense mechanisms based on the regularity of the polling mechanism used in SCADA systems has been studied, whereas the characterization of traffic caused by non-polling mechanisms, such as spontaneous events, has not been well studied. This paper provides a first look at how the traffic flowing between SCADA components changes over time. It proposes a method built upon a Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events. In 11 out of 14 tested data sequences, we see evidence of underlying patterns. Next, the prediction capability of the approach, useful for devising anomaly detection mechanisms, is studied. While some data patterns enable an 80% prediction possibility, more work is needed to tune the method for higher accuracy.

Place, publisher, year, edition, pages
NY, USA: ACM, 2018
Series
CPSS ’18
Keywords
iec-60870-5-104, probabilistic suffix tree(pst), scada, traffic patterns
National Category
Communication Systems
Identifiers
urn:nbn:se:liu:diva-154412 (URN); 10.1145/3198458.3198460 (DOI); 000461237800008 (); 978-1-4503-5755-5 (ISBN)
Conference
CPSS, Incheon, Korea, June 4, 2018
Projects
RICS (Resilient Information and Control Systems)
Note

Funding agencies: Swedish Civil Contingencies Agency (MSB)

Available from: 2019-02-11 Created: 2019-02-11 Last updated: 2022-11-03. Bibliographically approved
3. Timing Patterns and Correlations in Spontaneous SCADA Traffic for Anomaly Detection
2019 (English). In: Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses, USENIX - The Advanced Computing Systems Association, 2019, p. 73-88. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems operate critical infrastructures in our modern society despite their vulnerability to attacks and misuse. There are several anomaly detection systems based on the cycles of the polling mechanisms used in SCADA systems, but the feasibility of anomaly detection based on non-polling traffic, so-called spontaneous events, is not well studied. This paper presents a novel approach to modeling the timing characteristics of spontaneous events in an IEC-60870-5-104 network and exploits the model for anomaly detection. The system is tested with a dataset from a real power utility with injected timing effects from two attack scenarios. One attack causes timing anomalies due to persistent malfunctioning of the field devices, and the other generates intermittent anomalies caused by malware on the field devices, which is considered stealthy. The detection accuracy and timing performance are promising for all the experiments with persistent anomalies. With intermittent anomalies, we found that our approach is effective for anomalies in low-volume traffic or attacks lasting over 1 hour.

Place, publisher, year, edition, pages
USENIX - The Advanced Computing Systems Association, 2019
Keywords
Anomaly detection, SCADA systems, IEC-60870-5-104, Critical infrastructure
National Category
Computer Engineering
Identifiers
urn:nbn:se:liu:diva-161757 (URN); 000527802800006 (); 9781939133076 (ISBN)
Conference
22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), Beijing, China, September 23-25, 2019
Note

Funding Agencies: Swedish Civil Contingencies Agency (MSB) through the RICS project

Available from: 2019-11-08 Created: 2019-11-08 Last updated: 2024-01-26. Bibliographically approved
4. A Comparative Analysis of Emulated and Real IEC-104 Spontaneous Traffic in Power System Networks
2021 (English). In: Cyber-Physical Security for Critical Infrastructures Protection: First International Workshop, CPS4CIP 2020, Guildford, UK, September 18, 2020, Revised Selected Papers / [ed] Abie, Habtamu; Ranise, Silvio; Verderame, Luca; Cambiaso, Enrico; Ugarelli, Rita; Giunta, Gabriele; Praça, Isabel; Battisti, Federica, Springer, 2021, p. 207-223. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems control and monitor modern power networks. As attacks targeting SCADA systems are increasing, significant research is conducted to defend SCADA networks, including variations of anomaly detection. Due to the sensitivity of real data, many defence mechanisms have been tested only in small testbeds or on emulated traffic designed under assumptions about how SCADA systems behave. This work provides a timing characterization of IEC-104 spontaneous traffic and compares the results from emulated and real traffic to verify whether the network characteristics appearing in testbeds and emulated traffic coincide with real traffic. Of three verified characteristics, two appear in the real dataset but in a less regular way, and one does not appear in the collected real data at all. The insights from these observations are discussed in terms of presumed differences between emulated and real traffic and how those differences arise.

Place, publisher, year, edition, pages
Springer, 2021
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349
Keywords
SCADA, Traffic characterization, IEC-104, Timing analysis
National Category
Computer Engineering
Identifiers
urn:nbn:se:liu:diva-189696 (URN); 10.1007/978-3-030-69781-5_14 (DOI); 2-s2.0-85102736813 (Scopus ID); 9783030697808 (ISBN); 9783030697815 (ISBN)
Conference
International Workshop on Cyber-Physical Security for Critical Infrastructures Protection
Funder
Swedish Civil Contingencies Agency
Available from: 2022-11-03 Created: 2022-11-03 Last updated: 2024-08-27
5. RICSel21 Data Collection: Attacks in a Virtual Power Network
2021 (English). In: 2021 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Institute of Electrical and Electronics Engineers (IEEE), 2021, p. 201-206. Conference paper, Published paper (Refereed)
Abstract [en]

Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have increased since the appearance of Stuxnet. To defend critical infrastructures, security researchers need realistic datasets to evaluate and benchmark their defense mechanisms such as Anomaly Detection Systems (ADS). However, real-world data collected from critical infrastructures are too sensitive to share openly. Therefore, testbed datasets have become a viable option to balance the requirement of openness and realism. This study provides a data generation framework based on a virtual testbed with a commercial SCADA system and presents an openly available dataset called RICSel21, with packets in IEC-60870-5-104 protocol streams. The dataset is the result of performing 12 attacks, identifying the impact of attacks on a power management system and recording the logs of the seven successful attacks.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2021
Keywords
Computers, Protocols, Computer worms, Power system management, Conferences, SCADA systems, Benchmark testing
National Category
Computer Systems
Identifiers
urn:nbn:se:liu:diva-189699 (URN); 10.1109/SmartGridComm51999.2021.9632328 (DOI); 001445795700033 (); 2-s2.0-85123913802 (Scopus ID); 9781665430449 (ISBN); 9781665415026 (ISBN)
Conference
IEEE International Conference on Smart Grid Communications (SmartGridComm), Aachen, Germany, 25-28 October, 2021
Funder
Swedish Civil Contingencies Agency
Available from: 2022-11-03 Created: 2022-11-03 Last updated: 2025-10-10. Bibliographically approved

Author

Lin, Chih-Yuan